MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d388917582a8cb3e76fdd2cfddd009a456feb3863328e018821bb359d74ff12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	2d388917582a8cb3e76fdd2cfddd009a456feb3863328e018821bb359d74ff12
SHA3-384 hash:	63c7af3b278d3c77d709ffd819383a428668c32eba7b7725d229fc1b15f46fa567f3220f0a09bbd4970b5c82ae51b771
SHA1 hash:	3579f9e2ace4eae0f6b98d3f125af6063637b971
MD5 hash:	25a1c05c1798e37cf9bbe174b68faacf
humanhash:	single-seventeen-coffee-cat
File name:	gtop.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	1'595 bytes
First seen:	2025-11-03 15:05:03 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:vcCMcCcTcCvWLcChNIRksc8scUZAcW+cmmJcBbcZcRascMc4kcCtXKQ:vwQ7WLyJENKczk08Qb44khXh
TLSH	T1733143CA72A344B16CA1BE6732AE881531D4D1CA98C6EF992CEC34F944CEE04F4457A3
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	gafgyt sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.115.19/arm4	a8c760bb388ab5567e3fd98006fe4bc7d66e0832139af3c526de0c87709779de	Gafgyt	elf gafgyt ua-wget
http://196.251.115.19/arm4t	n/a	n/a	elf ua-wget
http://196.251.115.19/arm5	24d041027fc805b2a992b08591e29ddc908fe7444f3acfb97421ec7972091fc3	Gafgyt	elf gafgyt ua-wget
http://196.251.115.19/arm6	b525dcf67637d16f7fa706fe3f09fcb081174b5544a85c5f26966ffa456650ba	Gafgyt	elf gafgyt ua-wget
http://196.251.115.19/i686	76cd9f11b80ef1965dbcc0f5a291128a42765eea1f5249072453745c0ec3208f	Gafgyt	elf gafgyt ua-wget
http://196.251.115.19/m68	1d4552bd34a7f0bb66ecd1182b8cda55577f75b53bd5d33153b7c61f45924b18	Gafgyt	elf gafgyt ua-wget
http://196.251.115.19/mips	d55cb83925f19c5788b9cfc1de5a8b77974ac1dfd8209bf3e67b177f2adc9235	Gafgyt	elf gafgyt ua-wget
http://196.251.115.19/mpsl	51919576254b24acac956a09ec5d40c2f984e4533f6655ec0e1fdc14ced698eb	Gafgyt	elf gafgyt ua-wget
http://196.251.115.19/ppc	9914fd97c22e39750a1103b341238ac8509f6fac719d225a0dd33334d182d8a0	Gafgyt	elf gafgyt ua-wget
http://196.251.115.19/spc	7a145aec20e0d6c25ec3f6163a4d70b00ad89854051d2680565785f46746d500	Gafgyt	elf gafgyt ua-wget
http://196.251.115.19/x86	6984aa53d93a9523a4ebf50f217a8a9a7bf7be6b50003737a2f74861e54d83fd	Gafgyt	elf gafgyt ua-wget
http://196.251.115.19/sh4	1a69acae06c495d68ca9c45e1aaa0704d4148cbeceb09319823b1f28bc310390	Gafgyt	elf gafgyt ua-wget
http://196.251.115.19/arm7	9220d7cd7f6475d8b6d939b651f41089868e5aec3c8064e331d63d5353c1a8b1	Gafgyt	elf gafgyt ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-02T07:07:00Z UTC

Last seen:

2025-11-04T10:24:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan-Downloader.Shell.Agent.cx HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen

Link:

https://opentip.kaspersky.com/2d388917582a8cb3e76fdd2cfddd009a456feb3863328e018821bb359d74ff12/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/4078e968-a483-407f-b567-7a5e2683af6c

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/2d388917582a8cb3e76fdd2cfddd009a456feb3863328e018821bb359d74ff12

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2d388917582a8cb3e76fdd2cfddd009a456feb3863328e018821bb359d74ff12/

Verdict:

Malicious

Threat:

Family.GAFGYT

Link:

https://tip.neiki.dev/file/2d388917582a8cb3e76fdd2cfddd009a456feb3863328e018821bb359d74ff12

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2025-11-03 02:41:08 UTC

File Type:

Text (Shell)

AV detection:

25 of 38 (65.79%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fu4isf2yfkglhz3p3uwp3xiatjcw72zymmzi4amieg5tlhlu74ja._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251103-sjev8ssnek/

Behaviour

System Network Configuration Discovery

Writes file to tmp directory

Reads system network configuration

Reads system routing table

File and Directory Permissions Modification

Executes dropped EXE

Detected Gafgyt variant

Gafgyt family

Gafgyt/Bashlite

Malware Config

C2 Extraction:

196.251.115.19:4444

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/2d388917582a8cb3e76fdd2cfddd009a456feb3863328e018821bb359d74ff12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.